Half of Fortune 500 Firms Infected With DNSChanger

Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the "DNSChanger" malware that redirects users to fake websites and puts organizations at risk of information theft, a security company said today.

DNSChanger, which at its peak was installed on more than four million Windows PCs and Macs worldwide -- a quarter of them in the U.S. alone -- was the target of a major takedown organized by the U.S. Department of Justice last November.

The takedown and accompanying arrests of six Estonian men, dubbed "Operation Ghost Click," was the culmination of a two-year investigation, although some security researchers have been tracking the botnet since 2006. As part of the operation, the FBI seized control of more than 100 command-and-control (C&C) servers hosted at U.S. data centers.

According to Tacoma, Wash.-based Internet Identity (IID), which provides security services to enterprises, half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbor one or more computers infected with DNSChanger.

IID used telemetry from its monitoring of client networks, as well as third-party data, to claim that at least 250 of the Fortune 500 companies and 27 out of 55 major government agencies had at least one computer or router infected with DNSChanger as of early this year.

The still-infected machines pose several problems, said experts.

"Initially, DNSChanger was worrisome because it could redirect you from a safe location to a dangerous one controlled by criminals," said Rod Rasmussen, the chief technology officer of IID in an emailed statement. "However, the FBI temporarily fixed that. Now, the big worry is that machines that are still infected face a second vulnerability -- they are left with little if any security."

Others, however, have pointed out that computers still infected with DNSChanger have only weeks before they will be crippled.

As part of Operation Ghost Click, a federal judge approved a plan where clean DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software. Without that move, infected systems would have been immediately cut off from the Internet when the FBI seized the criminals' domain servers.

But the ISC was authorized to maintain the alternate DNS servers only for 120 days, or until early next month.

"[The ISC] will shut down the [DNS] servers in March and anybody who is still using those servers will then lose access to the Internet," said Wolfgang Kandek, chief technology officer of Qualys, in a Thursday post to that company's security blog .

Qualys has added DNSChanger detection to its free BrowserCheck tool that runs on Windows PCs, while the umbrella organization DNSChanger Working Group -- of which IID is a member -- has created a website that steps users through the process of detecting and infected PCs and Macs.